Very Un-Guest-Like Behavior
It's certainly not the news VMware wanted the day before its big VMworld Europe 2008 conference kicks off, but a critical vulnerability has been found that affects VMware Workstation, along with VMware Player and VMware ACE.
As of Monday morning, a fix hadn't been posted on VMware's Website. The only solution at the moment is to turn off shared folders, which is the source of the problem. That, of course, seriously reduces the functionality of the affected products. Not good news for VMware.
The flaw is analogous to an old friend staying in your home. The friend, unknown to you, has developed a drug habit over the years. One day when you're off at work, he steals your silver and your new MacBook Air and pawns them to feed his need for speed.
In this case, a program running in a guest can take control of the host machine and muck around at will, including creating and modifying executables. In other words, you'd be completely hosed.
The affected versions of the programs, according to VMware, are the Windows-hosted versions of:
- VMware Workstation 6.0.2 and earlier
- VMware Workstation 5.5.4 and earlier
- VMware Player 2.0.2 and earlier
- VMware Player 1.0.4 and earlier
- VMware ACE 2.0.2 and earlier
- VMware ACE 1.0.2 and earlier
VMware Fusion is unaffected -- it's only the Windows products. Also note that VMware Server and ESX Server aren't vulnerable.
Shared folders are, in general, a good idea. Very often there's a need to share files between the guest and its host. For instance, I use Fusion on my MacBook Pro. There are often times when I need to transfer data to and from Office files on my respective OSes -- Office for Mac on the host (OS X), and the version of Office that resides in my Fusion-housed guest, Windows XP. Ideally, the only files that can be read and written to are the ones in the shared folders. The flaw, however, allows malware in the guest OS to reach the entire file system of the host. And that's a bad thing, as you've probably guessed.
VMware states that the shared folders feature is disabled by default in those programs. That's good (and a security attitude that would have saved Microsoft, for instance, tons of grief if it had been instituted from the beginning). But it's hard to imagine anyone working in a VM for more than an hour without needing to enable shared folders, so my guess is that shared folders are "on" in most environments.
Here are VMware's instructions on how to disable shared folders:
To disable shared folders in the Global settings:
- From the VMware product's menu, choose Edit > Preferences.
- In the Workspace tab, under Virtual Machines, deselect the checkbox for Enable all shared folders by default.
To disable shared folders for the individual virtual machine settings:
- From the VMware product's menu, choose VM > Settings.
- In the Options tab, select Shared Folders and Disable.
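The GUI steps above cover one machine at a time. As an added example (not from the post or from VMware), here is a small Python audit that walks a directory of .vmx files and flags every VM where shared folders are still live. It assumes the .vmx keys sharedFolderN.present, sharedFolderN.enabled, sharedFolderN.hostPath, sharedFolderN.guestName, sharedFolderN.writeAccess and isolation.tools.hgfs.disable as written by Workstation/Player; check them against your version before relying on the result.

```python
"""Audit VMware .vmx files for enabled shared folders (assumed key names; verify for your version)."""
import re
from pathlib import Path
VMX_LINE = re.compile(r'^\s*([\w.:-]+)\s*=\s*"(.*)"\s*$')  # .vmx lines look like: key = "value"

# Constructed sample .vmx for a Windows-hosted guest: folder 0 is live, folder 1 is present but disabled.
SAMPLE_VMX = '''\
sharedFolder.maxNum = "2"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.writeAccess = "TRUE"
sharedFolder0.hostPath = "C:\\Users\\keith\\Documents"
sharedFolder0.guestName = "Documents"
sharedFolder1.present = "TRUE"
sharedFolder1.enabled = "FALSE"
'''

def parse_vmx(text):
    """Return the key/value pairs of a .vmx file; keys are case-insensitive, so lower-case them."""
    cfg = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def audit_vmx(cfg):
    """Report the active shared folders; 'exposed' means HGFS is not disabled and at least one is live."""
    hgfs_disabled = cfg.get("isolation.tools.hgfs.disable", "false").lower() == "true"
    active = []
    for key, value in cfg.items():
        m = re.fullmatch(r"sharedfolder(\d+)\.present", key)
        if not m or value.lower() != "true":
            continue
        n = m.group(1)
        if cfg.get(f"sharedfolder{n}.enabled", "true").lower() != "true":
            continue  # defined but switched off in the VM's settings
        active.append({"index": int(n), "hostPath": cfg.get(f"sharedfolder{n}.hostpath", ""),
                       "guestName": cfg.get(f"sharedfolder{n}.guestname", ""),
                       "writeAccess": cfg.get(f"sharedfolder{n}.writeaccess", "false").lower() == "true"})
    active.sort(key=lambda f: f["index"])
    return {"hgfs_disabled": hgfs_disabled, "active": active, "exposed": not hgfs_disabled and bool(active)}

def audit_tree(root):
    """Walk a directory of VMs and return {path: report} for every .vmx that is still exposed."""
    reports = {}
    for p in Path(root).rglob("*.vmx"):
        report = audit_vmx(parse_vmx(p.read_text(errors="replace")))
        if report["exposed"]:
            reports[str(p)] = report
    return reports
```

Run audit_tree against the folder that holds your VMs; an empty result means every VM either has no live shared folder or has HGFS disabled at the VM level.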
Do not mess around with this vulnerability. If you're an admin with Workstation, Player or ACE in your environment, make this Job No. 1 today.
Posted by Keith Ward on 02/25/2008 at 12:48 PM